NET Test Cases (Coming Soon)
This page details all Test Cases available through VSEC Test. All test cases can be run through the VSEC Test web app or via terminal on the Bench.
Supported TLS Cipher Scan
Iterates through all known TLS ciphers and attempts a connection to the web server with each. Accepted ciphers are reported.
Fail Condition: if a weak cipher is accepted the test will be marked as failed.
Parameters
| Name | Default Value | Description |
|---|---|---|
| Network Interface | eth0 | The network interface on which to interact |
| Target IP | 10.1.0.1 | The IP address to connect to |
| Target Port | 443 | The port to connect to |
| Temporary IP | 10.1.0.12 | A temporary IP address to set on the network interface, which will be reset after the test completes |
| Temporary Subnet Mask | 255.255.255.0 | A temporary subnet mask to set on the network interface, which will be reset after the test completes |
Outcomes
SUCCESS: The specified TLS server negotiates strong ciphers.
Recommendations:
NO_RESPONSE: The test failed to communicate with the specified target_host
Recommendations:
- Check test parameters, physical connections and device power.
FAILURE: The specified TLS server allows negotiating weak ciphers.
Recommendations:
- Review the destination of the offending TLS connection and modify that server’s configuration.
Example Usage
bw_cli run -a supported_tls_ciphers -p iface=eth0 -p target_host=10.1.0.1 -p target_port=443 -p temp_ip=10.1.0.12 -p temp_mask=255.255.255.0

Supported TLS Version Scan
Attempts a connection to the target host with each version of TLS.
Fail Condition: If TLS 1.0 or 1.1 connects successfully the test will be marked as failed.
Parameters
| Name | Default Value | Description |
|---|---|---|
| Network Interface | eth0 | The network interface on which to interact |
| Target IP/hostname | 10.1.0.1 | The IP address or hostname to connect to |
| Port | 443 | The port to connect to |
| Temporary IP | 10.1.0.12 | A temporary IP address to set on the network interface, which will be reset after the test completes |
| Temporary Subnet Mask | 255.255.255.0 | A temporary subnet mask to set on the network interface, which will be reset after the test completes |
Outcomes
SUCCESS: The specified TLS server negotiates strong versions.
Recommendations:
NO_RESPONSE: The test failed to communicate with the specified target_host
Recommendations:
- Check test parameters, physical connections and device power.
FAILURE: The specified TLS server allows negotiating weak versions.
Recommendations:
- Review the destination of the offending TLS connection and modify that server’s configuration.
Example Usage
bw_cli run -a supported_tls_versions -p iface=eth0 -p target_host=10.1.0.1 -p target_port=443 -p temp_ip=10.1.0.12 -p temp_mask=255.255.255.0

Observed TLS Version
Observes traffic outgoing from a specific IP and checks that its TLS version is at least 1.2.
Fail Condition: If the host sends any TLS traffic that uses a version lower than TLS 1.2, this test will be marked as failed.
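One way to read the negotiated version out of a captured handshake, as an added example (not VSEC Test's own code). It shows why a passive check cannot rely on the `legacy_version` field alone: a TLS 1.3 ServerHello still carries 0x0303 there and puts the real version in the `supported_versions` extension. The function names and the sample builder are assumptions made for illustration.

```python
import struct

MIN_ACCEPTED = 0x0303        # TLS 1.2 on the wire; the floor this test case states
SUPPORTED_VERSIONS = 43      # extension type that carries the real TLS 1.3 version

def negotiated_version(record: bytes) -> int:
    """Return the version a ServerHello selected, given one raw TLS record."""
    try:
        ctype, _legacy, rec_len = struct.unpack_from("!BHH", record, 0)
        body = record[5:5 + rec_len]
        if ctype != 22 or body[0] != 2:      # handshake record, ServerHello
            raise ValueError("not a ServerHello record")
        msg = body[4:4 + int.from_bytes(body[1:4], "big")]
        version = struct.unpack_from("!H", msg, 0)[0]  # legacy_version field
        pos = 2 + 32                         # skip version + random
        pos += 1 + msg[pos]                  # skip session_id
        pos += 3                             # skip cipher_suite + compression
        if pos + 2 > len(msg):
            return version                   # no extensions block present
        end = pos + 2 + struct.unpack_from("!H", msg, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", msg, pos)
            if ext_type == SUPPORTED_VERSIONS and ext_len == 2:
                version = struct.unpack_from("!H", msg, pos + 4)[0]
            pos += 4 + ext_len
        return version
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated TLS record") from exc

def verdict(record: bytes) -> str:
    """Map a ServerHello to the outcome names used on this page."""
    return "FAILURE" if negotiated_version(record) < MIN_ACCEPTED else "SUCCESS"

def build_server_hello(legacy: int, selected=None) -> bytes:
    """Constructed sample input: minimal ServerHello with a zeroed random."""
    msg = struct.pack("!H", legacy) + bytes(32) + b"\x00"
    msg += struct.pack("!HB", 0x002F, 0)     # cipher suite value is not inspected
    if selected is not None:
        ext = struct.pack("!HHH", SUPPORTED_VERSIONS, 2, selected)
        msg += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(msg).to_bytes(3, "big") + msg
    return struct.pack("!BHH", 22, 0x0303, len(hs)) + hs

if __name__ == "__main__":
    for name, rec in [("TLS 1.0", build_server_hello(0x0301)),
                      ("TLS 1.3", build_server_hello(0x0303, 0x0304))]:
        print(name, hex(negotiated_version(rec)), verdict(rec))
```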
Parameters
| Name | Default Value | Description |
|---|---|---|
| Network Interface | eth0 | The network interface on which to interact with the DNS Server |
| Target Host | 10.1.0.1 | The IP whose packets to inspect |
Outcomes
SUCCESS: No traffic was observed originating from the specified target_host using an insecure TLS version
Recommendations:
NO_RESPONSE: No traffic was observed originating from the specified target_host
Recommendations:
- Check physical connections and device power.
- Ensure you are in a network position where the target’s traffic will be seen by the test.
FAILURE: Communication was observed originating from the target_host using an insecure TLS version.
Recommendations:
- Review the destination of the offending TLS connection and determine if this insecure protocol version can be replaced.
Example Usage
bw_cli run -a observed_tls_version -p iface=eth0 -p target_host=10.1.0.1

SSH Password Authentication Check
Checks if an SSH server supports password authentication by attempting to connect to it.
Fail Condition: If the SSH Server does support password authentication, this test will be marked as failed.
Parameters
| Name | Default Value | Description |
|---|---|---|
| Network Interface | eth0 | The network interface on which to interact with the DNS Server |
| Target IP | 10.1.0.1 | The IP to use when attempting to connect |
| Target Port | 8000 | The port to use when attempting to connect |
| Temporary IP | 10.1.0.12 | A temporary IP address to set on the network interface, which will be reset after the test completes |
| Temporary Subnet Mask | 255.255.255.0 | A temporary subnet mask to set on the network interface, which will be reset after the test completes |
Outcomes
SUCCESS: The specified SSH server rejected password login.
Recommendations:
NO_RESPONSE: The test failed to communicate with the specified target_host
Recommendations:
- Check test parameters, physical connections and device power.
FAILURE: The specified SSH server allows password login.
Recommendations:
- Review the offending SSH server and modify that server’s configuration.
Example Usage
bw_cli run -a ssh_pass_check -p iface=eth0 -p target_host=10.1.0.1 -p target_port=8000 -p temp_ip=10.1.0.12 -p temp_mask=255.255.255.0

mTLS Self Signed Cert Connection
Attempts to connect to a mutual TLS service with a self signed certificate and expects to be rejected for invalid credentials.
Fail Condition: If any mTLS server accepts a connection with these invalid credentials the test will be marked failed.
Parameters
| Name | Default Value | Description |
|---|---|---|
| Network Interface | eth0 | The network interface on which to interact with the DNS Server |
| mTLS URI | https://10.1.0.1:8883 | The URI of the mTLS Server to attempt to connect to |
| Temporary IP | 10.1.0.12 | A temporary IP address to set on the network interface, which will be reset after the test completes |
| Temporary Subnet Mask | 255.255.255.0 | A temporary subnet mask to set on the network interface, which will be reset after the test completes |
Outcomes
SUCCESS: The specified mTLS server is enforcing client authentication and rejects self signed client certificates.
Recommendations:
NO_RESPONSE: The test failed to communicate with the specified target_host
Recommendations:
- Check test parameters, physical connections and device power.
FAILURE: The specified mTLS server allows authentication with self signed client certificates.
Recommendations:
- Review the destination of the offending TLS connection and modify that server’s configuration.
Example Usage
bw_cli run -a mtls_self_signed -p iface=eth0 -p uri=https://10.1.0.1:8883 -p temp_ip=10.1.0.12 -p temp_mask=255.255.255.0

Telnet Check
Attempts to connect to a telnet server at the specified IP and port.
Fail Condition: If a telnet server responds, the test will be marked failed.
Parameters
| Name | Default Value | Description |
|---|---|---|
| Network Interface | eth0 | The network interface on which to interact |
| Target IP | 10.1.0.1 | The IP address to connect to |
| Telnet Port | 23 | The port number to attempt to connect to telnet on |
| Temporary IP | 10.1.0.12 | A temporary IP address to set on the network interface, which will be reset after the test completes |
| Temporary Subnet Mask | 255.255.255.0 | A temporary subnet mask to set on the network interface, which will be reset after the test completes |
Outcomes
SUCCESS: The specified Telnet server rejected anonymous login.
Recommendations:
- Ensure the credentials are secure and ideally unique per device.
NO_RESPONSE: The test failed to communicate with the specified target_host
Recommendations:
- Check test parameters, physical connections and device power.
FAILURE: The specified Telnet server allows anonymous login.
Recommendations:
- Review the offending Telnet server and modify that server’s configuration.
Example Usage
bw_cli run -a telnet_check -p iface=eth0 -p target_host=10.1.0.1 -p target_port=23 -p temp_ip=10.1.0.12 -p temp_mask=255.255.255.0